The digital revolution has changed the way one deals with marketing, advertising, or any kind of data sharing. With the advent of data protection laws like GDPR and CCPA, the concept of opt-in and opt-out has gained a lot of significance in the past few years. One cannot collect, share or use people’s data without their consent unless another lawful basis applies.
We will discuss what opt-in and opt-out mean and when and how to use them for data processing.
What is opt-in?
Opt-in means giving permission or accepting something. In other words, it is an affirmative action of giving or seeking user consent.
Now and then you must have seen websites asking you to tick checkboxes. That is one example of opt-in. You can register your consent to their request by ticking the box if you wish.
Opt-in is obtained for several purposes, like subscribing to newsletters, agreeing to terms and conditions, permission to save user details, consent to use cookies, etc.
For example, look at how Spotify uses an opt-in form.
What is opt-out?
Opt-out means an action of users refusing/withdrawing consent in response to a particular event or process.
Not choosing to subscribe to newsletters, unticking a previously ticked checkbox, not consenting to save personal details, rejecting the use of cookies, etc. are some examples of opt-out.
What about opt-in and opt-out in cookies?
The arrival of the EU Cookie Law and GDPR has tightened the rules around cookies, making opt-in and opt-out two of the most important measures for compliance.
Opt-in for cookies is simple – ask the users who visit your website for consent to store cookies on their device. And opt-out means rejecting the request or withdrawing the consent later at any time they wish.
You must provide clear and precise information about the cookies (including strictly necessary cookies) and their purpose when users visit a website, so that users can make an informed decision on whether to opt in or opt out of the use of cookies.
One of the major decisions on consent for cookies was firmly established by the CJEU Planet49 judgment.
The judgment stated that users’ opt-in obtained through pre-ticked checkboxes is no longer valid. Also, you cannot bundle multiple consent requests as one; they should be kept separate. The third point of the judgment said that users must be aware of all the details about the cookies and what consenting to their use will mean. Knowledge of such information will make the decision easy and clear for them.
Opt-in and opt-out on cookies are generally implemented using cookie consent tools.
Here is one example of a cookie consent banner, where you can see both opt-in and opt-out options.
- Sign up on CookieYes for free
- Add a cookie banner
- Scan for cookies
Sign up on CookieYes for free using your email address and website URL.
Copy and paste the unique code to your site to add the cookie banner, which has both opt-in and opt-out options by default.
Scan your website for cookies to find out all cookies and their categories set by your website. This will activate auto-blocking of third-party cookies until users opt in.
When and how to implement opt-in?
Let’s look at some cases where you should use opt-in options and how to implement each of them.
#1 When you collect personal data of people in the EU
… and when none of the below legal bases of processing applies:
- Contractual Obligation
- Legal Obligation
- Legitimate Interest
- Vital Interest
- Public Interest
How: To ask for consent, you can choose one of the following opt-in methods:
- Paper form
- Opt-in boxes on paper or electronically
- Opt-in buttons or links
- Yes/No options
- Technical settings or preference dashboard settings
- Emails requesting consent
- Oral consent requests
- Volunteering optional information for a specific purpose
#2 When you use third-party cookies
You need explicit consent from users in such a case. A simple and clear opt-in option must be provided to them.
How: The opt-in option here can be implemented using cookie consent banners.
#3 When you collect personal data from minors
If you need to collect the personal data of minors, you need parental consent.
How: Parental consent using any of the opt-in methods mentioned above.
#4 When you require email addresses for newsletters and marketing purposes
Often, you may require consent to collect and store the email addresses of users to send newsletters or marketing emails.
How: Some of the ways you can implement the opt-in options are:
- Checkboxes at the end of forms
- Website footer
- First email (note that unless they opt in to the subscription, you cannot send any more emails)
When and how to implement opt-out?
#1 When you use personal data for various purposes (lawful bases)
Users have the right to refuse permission to collect or process their data if they see fit. You are supposed to temporarily terminate the processing of data or delete the data in such cases.
How: A contact point or link to submit consent opt-out requests.
#2 When you use cookies (especially third-party cookies) for analytical and advertising purposes
Users must be able to withdraw consent to or reject the use of cookies if they see fit.
How: Cookie banners must have a reject option or a link to manage cookies, where users can choose which types of cookies they do not want stored on their device.
#3 When you send emails to your users
At any point, if users no longer want to receive any content at their email addresses, they should be able to unsubscribe.
How: Include an easily accessible unsubscribe link in the emails or on the website.
Frequently asked questions
What is meant by opt-in and opt-out?
Opt-in means to give consent in various situations, like accepting cookies, subscribing to a newsletter, signing up for services or agreeing with terms and conditions or a privacy policy.
Opt-out means to deny or withdraw consent, like rejecting cookies, unsubscribing from a newsletter or denying permission to share your location.
Is opt-in or opt-out better?
It is hard to say which one is better. However, when comparing opt-in and opt-out from a privacy standpoint, it is always better to have an opt-in option while collecting the personal data of users. It gives users control over their data and lets them choose whether they want to share it. At the same time, it is important to have opt-out so that users have the right to withdraw or change their consent.
Is opt-out GDPR compliant?
The GDPR requires businesses to let users opt out of the collection or use of their personal data. However, the cornerstone of the regulation is obtaining valid user consent, i.e. opt-in. You cannot use opt-out without having opt-in for GDPR compliance. Even if users opt in to data collection and processing, they must be able to withdraw consent at any time. Both options must have equal prominence.
What is an opt-in agreement?
An opt-in agreement is an agreement between users and businesses in which the users give their consent to businesses to collect or use their information. This consent must be freely given, informed, specific, and unambiguous.
What does it mean to opt-out of something?
To opt out of something in terms of data privacy means to reject or deny consent to use your personal information for business processing. It also means opting out of letting businesses process your information or share it with third parties. Users can opt out even after opting in, and businesses should ensure that users can opt out as easily as they opt in.
When should I use opt-out?
You should use opt-out when you don’t want to participate in an event or don’t want anyone to collect or use your personal data in a way that may interfere with your right to privacy. For example, you can opt out of cookies on a website that go beyond what is necessary for the services you want to use and also collect your personal data for advertisements.